I have a function f(x,n) that takes a 128-bit key x, and generates n bytes of pseudo-random data. I've tested the output bytes of this function for various keys with the NIST RNG testing suite (NIST Special Publication 800-22, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications) and the results were very good. What concerns are there before simply using the random bytes XORed with the plaintext as a stream cipher?

Edit:

I figured I'd add some more details. The best analogy I can come up with is that the bytes are random in the same way the digits of pi are random.

To be able to withstand cryptanalysis, are there any standard attacks that I should try, or should I just sit down and try my best to expose a weakness, then give it to someone who has more experience in cryptanalysis and ask them to do the same?

2 Answers
2

The property desired of stream ciphers, just like for any random number generators, is indistinguishability from true randomness — and indeed, any RNG that fails a statistical test suite is obviously not a good stream cipher.

However, to be considered secure, a stream cipher must not only withstand a generic battery of statistical tests; its output needs to be indistinguishable from a truly random bitstream even for an attacker who knows exactly how the cipher works (but doesn't know the key), allowing them to devise specific tests just for that algorithm.

This is the point where most non-crypto RNGs fail: there are various cryptanalytic techniques that can be used to devise specific tests to tell the output of a given algorithm from random data, and RNGs which are not specifically designed to withstand them will usually succumb to them.

Of course, as the state of the art advances, sometimes that can happen even for ciphers that were previously thought to be secure, but any cipher generally accepted as secure must at least have withstood a considerable amount of attention from the cryptanalytic community without being broken.
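The point this answer makes, that a generic statistical battery and an algorithm-aware test are different things, can be shown concretely. The following is an added example, not code from the question or the answer: a toy 32-bit linear feedback shift register (LFSR, taps at positions 32, 22, 2 and 1, taken from the standard maximal-length tap table) is run through the SP 800-22 frequency (monobit) test, which it has every chance of passing, and then through two tests that an attacker who knows the design would write: a direct check of the linear recurrence, and the Berlekamp-Massey linear-complexity measurement. A SHA-256 counter-mode stream stands in as "random-looking" reference data. The seed and key are constructed values.

```python
"""Added example: passing a generic test (monobit) is necessary but not sufficient.
A toy LFSR keystream looks fine to the frequency test yet is distinguished from
random data with certainty once the tester knows the algorithm."""
import hashlib
import math
from functools import reduce

# Feedback positions of a 32-bit maximal-length Fibonacci LFSR (assumption: standard tap table).
TAPS = (32, 22, 2, 1)


def lfsr_bits(seed, nbits, taps=TAPS):
    """Toy LFSR: each new bit is the XOR of the bits `t` positions back, for t in taps.
    The nonzero 32-bit seed supplies the first 32 bits. Deliberately NOT a cryptographic generator."""
    assert 0 < seed < 2 ** 32, "seed must be a nonzero 32-bit value"
    bits = [(seed >> i) & 1 for i in range(32)]
    while len(bits) < nbits:
        bits.append(reduce(lambda acc, t: acc ^ bits[-t], taps, 0))
    return bits[:nbits]


def hash_ctr_bits(key, nbits):
    """Reference stream: SHA-256 over (key || counter), used here only as random-looking data."""
    out, ctr = [], 0
    while len(out) < nbits:
        block = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        out.extend((byte >> (7 - j)) & 1 for byte in block for j in range(8))
        ctr += 1
    return out[:nbits]


def monobit_p_value(bits):
    """SP 800-22 frequency (monobit) test; the sequence passes when p >= 0.01."""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)            # +1 for each 1 bit, -1 for each 0 bit
    return math.erfc(abs(s_n) / math.sqrt(n) / math.sqrt(2))


def satisfies_recurrence(bits, taps=TAPS):
    """Algorithm-specific test: does every bit equal the XOR of the tapped earlier bits?
    An LFSR keystream passes every check; random data passes each check with probability 1/2,
    so over hundreds of positions it fails with overwhelming probability."""
    order = max(taps)
    return all(
        bits[i] == reduce(lambda acc, t: acc ^ bits[i - t], taps, 0)
        for i in range(order, len(bits))
    )


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR that generates `bits`.
    For the toy generator this is at most 32 (exactly 32 for a maximal-length LFSR);
    for n random bits it is close to n/2."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # previous connection polynomial
    length, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, length + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * length <= i:
                length, m, b = i + 1 - length, i, t
    return length


def compare(nbits=512):
    """Run both kinds of test over an LFSR keystream and the reference stream."""
    lfsr = lfsr_bits(0xACE1, nbits)                       # constructed seed
    ref = hash_ctr_bits(b"constructed-key", nbits)        # constructed key
    return {
        "lfsr_monobit_p": monobit_p_value(lfsr),
        "ref_monobit_p": monobit_p_value(ref),
        "lfsr_recurrence_holds": satisfies_recurrence(lfsr),
        "ref_recurrence_holds": satisfies_recurrence(ref),
        "lfsr_linear_complexity": linear_complexity(lfsr),
        "ref_linear_complexity": linear_complexity(ref),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The monobit p-values of the two streams are typically indistinguishable, which is the situation the question describes. The recurrence check, however, is true for the LFSR and false for the reference data, and Berlekamp-Massey reports a linear complexity of 32 for the LFSR against roughly half the sample length for the reference stream. Note that the second test does not even need the tap positions: knowing only that the generator is linear over GF(2) is enough, which is why "passed SP 800-22" says little about resistance to a reader of the design.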

The two major concerns are speed and security. Modern stream ciphers are most likely much faster than typical RNGs. As for security, randomness is notoriously a difficult problem. Take the eSTREAM project for example. There were a lot more submissions than what made it into the final portfolio. I'm guessing that they all passed NIST's RNG test suite, or they wouldn't have been accepted in the first place. Yet some didn't hold up to proper cryptanalysis. RC4 is another example. For a few years it was thought to be strong. Recent cryptanalysis has revealed some issues.

The bottom line is, no, a decent RNG (where decent is defined as passing NIST's tests) is not necessarily a good stream cipher. History has shown this repeatedly.